Secret management for vibe coding
Now that Claude Code makes code ~free to write, most of my time in a new project is spent manually configuring env vars and secrets.
The usual approach is to write secrets to a .env file. This takes a long time (relative to how quickly Claude writes the code) and is somewhat error-prone.
If I'm feeling lazy, I'll just paste the secret into Claude. This isn't ideal, as it makes a round trip to Anthropic's servers and potentially ends up in Claude's training data. Even worse, if I know I want to set up the project in multiple environments, I'll sometimes just commit secrets to the code (which lives in a private GitHub repo) instead of using an env file. I think this is fine for low risk things, as I can always do it properly and rotate the secret later, but it's not great.
There are further problems with .env files. A lot of the time I reuse the same API keys (e.g. OpenRouter) in different projects for convenience. This means I'm doing a lot of copy-pasting. It also exposes the secret in many places, increasing the chances that it leaks somewhere. If that happens, I have to rotate the single API key, and then remember to update it in all my apps, or they all break.
Even if I was willing to spend the time to generate new API keys for each project, sometimes this isn't possible. I like using Telegram bots for notifications from various projects (see my Claude Code hook example), but it takes a bit of time to set up a new bot, so I tend to reuse the same bot for multiple things, maybe getting it to send messages to a different chat for each project. The problem is that Telegram only supports one API key per bot at a time, so I can't avoid the above issue.
There's also the case where I want an API key which isn't tied to a specific project. Like being able to give Claude a Replicate key to generate images with Nano Banana.
I needed a secret manager. I use 1Password for my regular passwords, so I thought the CLI might work. But it doesn't really support long-lived service tokens that can access secrets without repeatedly logging in, so this was no good.
Grok told me about Infisical, which looked good. It's free and has a nice CLI. You only have to authenticate once per machine and then you can read and write secrets freely.
Setting a secret:
infisical secrets set TELEGRAM_BOT_TOKEN="your-token"

Running a command with secrets injected as env vars:

infisical run -- python my_script.py

The script just reads from os.environ as normal. If I rotate a secret, I update it once in Infisical and every project using infisical run gets the new value.
Here's an example from today. I wanted Claude to be able to access my Gmail. This requires setting up an OAuth client in Google Cloud. I've done this a few times for different things, so it made sense to have a single OAuth client that Claude can write scripts against whenever I need Google access. I put the client ID and client secret in Infisical. Then when we went through the OAuth flow and got a refresh token for my account, that went in there too. Now any future script that needs my Gmail can just pull the credentials from Infisical.
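As an added illustration of the pattern above (not code from the original post), here is what a script run under `infisical run` looks like on the Python side: it reads the Google client ID, client secret and refresh token from os.environ, fails with the list of missing names if it was launched without Infisical, and builds the standard refresh-token grant. The variable names GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET and GOOGLE_REFRESH_TOKEN are my assumption; the post does not name them.

```python
"""Pull Google OAuth credentials from the environment that `infisical run` injects
and exchange the refresh token for a short-lived access token.
Example code, not from the original post. The three variable names are assumed."""
import json
import os
import urllib.parse
import urllib.request
from typing import Mapping

REQUIRED = ("GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GOOGLE_REFRESH_TOKEN")
TOKEN_URL = "https://oauth2.googleapis.com/token"  # Google's OAuth 2.0 token endpoint


def load_google_creds(env: Mapping[str, str] = os.environ) -> dict:
    """Return the three credentials, failing loudly if any is absent.

    Under `infisical run -- python script.py` every name is present. Run bare,
    the script reports the missing names instead of a confusing 401 later.
    """
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise RuntimeError(
            "missing secrets (run under `infisical run --`): " + ", ".join(missing)
        )
    return {name: env[name] for name in REQUIRED}


def build_refresh_request(creds: dict) -> tuple:
    """Form-encode the refresh_token grant; the secret travels in the POST body, not the URL."""
    body = urllib.parse.urlencode({
        "client_id": creds["GOOGLE_CLIENT_ID"],
        "client_secret": creds["GOOGLE_CLIENT_SECRET"],
        "refresh_token": creds["GOOGLE_REFRESH_TOKEN"],
        "grant_type": "refresh_token",
    }).encode()
    return TOKEN_URL, body


def fetch_access_token(creds: dict) -> str:
    """Network call: trade the long-lived refresh token for a short-lived access token."""
    url, body = build_refresh_request(creds)
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["access_token"]


if __name__ == "__main__":
    token = fetch_access_token(load_google_creds())
    print("got access token of length", len(token))  # never log the token itself
```

Nothing on disk holds the credentials: rotate the refresh token in Infisical and the next `infisical run -- python script.py` picks it up unchanged.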